Support » Plugin: BP Better Messages » Cookie Not Marked as Secure

  • Resolved grosso2020

    (@grosso2020)


    Доброго дня!

    Вчера проверял свой сайт утилитой тестирования безопасности netsparker.
    По итогу по вашему плагину было выявлены незащищенные cookie.
    Несмотря на то что в wp-config.php стоит

    @ini_set(‘session.cookie_httponly’, true);
    @ini_set(‘session.cookie_secure’, true);
    @ini_set(‘session.use_only_cookies’, true);

    Отчет netsparker
    Cookie Not Marked as Secure
    HIGH
    CONFIRMED
    URL : https://****.com/wp-admin/admin-ajax.php
    Identified Cookie(s) : bp-messages-last-check

    CLASSIFICATION
    PCI 3.1 6.5.10
    PCI 3.2 6.5.10
    OWASP 2013 A6
    OWASP 2017 A3
    CWE 614
    CAPEC 102
    WASC 15
    CVSS 3.0 SCORE
    Base 5,3 (Medium)
    Temporal 5,3 (Medium)
    Environmental 5,3 (Medium)
    CVSS Vector String
    CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    Vulnerability Details
    Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.

    This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

    Impact
    This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim’s session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
    Actions to Take
    See the remedy for solution.
    Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
    Remedy
    Mark all cookies used within the application as secure.
    Required Skills for Successful Exploitation
    To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim’s network. Attackers need to be understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to to a system between the victim and the web server.

    Заголовки
    Set-Cookie: PHPSESSID=8cb6706845733f476930c46bca1a8c67; path=/; secure; HttpOnly
    Set-Cookie: bp-messages-last-check=1544347804; expires=Wed, 09-Jan-2019 09:30:04 GMT; Max-Age=2678400; path=/

Viewing 1 replies (of 1 total)
  • Plugin Author wordplus

    (@wordplus)

    This cookie is needed to be insecure to implement properly synchronization of unloaded messages on user and server side when using ajax protocol.

    Its not containing any sensitive info.

    Thanks!

Viewing 1 replies (of 1 total)
  • The topic ‘Cookie Not Marked as Secure’ is closed to new replies.